Sunday, October 30, 2016

Book review: Cyber Insecurity, Harrison and Herr

This book is a collection of various people's current thoughts on cyber policy - which means quality varies. In some cases, Rob Lee's chapter, you have an expert with decades of experience giving extremely valuable and in some cases new, perspectives. In others, Mailyn Fiddler's chapter for example, you have a collection of Wired magazine quotes and some half-baked opinions masquerading as analysis. Note that this book is NOT available in Kindle. :(

Let me give you some quick examples from Mailyn's chapter, since this is the chapter that most closely talks about things we all hold dear, and it's extremely bad.

All the added footnotes make it seem more authoritative, despite being ignorant nonsense.

The ability to find 0days in-house was largely a boutique capability of competent governments? The exact opposite is true. This is the problem with Mailyn writing about vulnerability markets: She cannot recognize blatant falsehoods and parrots whatever she can quote to support her built-in prejudices from random news articles which themselves are of dubious value, in this case from one of Morgan Marquis-Boire's CitizenLab reports (which doesn't support her statement at all that I can see) and an Economist article's quote from a random Marine Colonel.

Regardless, even if it had been supported from two random places that were more in tune with her argument, the statement is obviously false. We used to recommend people start at 1993 in the Bugtraq mailing list and read from there to get a sense of our history. It's still a good idea.

Here's what she means: "I have ethical qualms with the whole idea of 0day and want to shut it down any way I can, despite having NO EXPERIENCE IN THE SUBJECT!"

Many of these papers have discussed the hilarious idea that there are SOME bugs that are just TOO DANGEROUS to use for intelligence work, and we should instead give them to the vendors to fix. Let's talk a little bit about what happens when you send signals to a market that there is a product that you absolutely must have! For example, if the VEP decides to kill "All bugs that allow someone to escape the ESXi hypervisor" then what's going to happen is the price on the next hypervisor escape is going to be one million dollars. And the next one after that is ten million dollars. And if you won't buy it, the market will use your signal that ESXi vulns are super important to raise the price elsewhere. I'm not an economist but that's how you turn penicillin into a rare cancer medication!

This is her argument, so let's follow it to the natural conclusion:

For the VEP to be effective when you apply it to vendors, you have to do both of two things:

Find a way to patch bugs that the members of your market don't know about

Not just pretending they got patched by the vendor's internal team, which assumes the members of this market doesn't have better intel than you do on these things

Not silently patching them, since everyone diffs patches

Create an export-control regime that bars vendors from selling to anyone you don't want them to

Which is completely impossible

Let's take another suggestion from Mailyn's horrible paper: The idea that centralizing all bug buying in one place is going to save you money. What happens to a market when you artificially restrict the number of customers? The price goes up exponentially as sellers forgo balancing the idea of multiple customers with their opportunity risk. That, or you build another market because you've introduced a layer of red tape.

affects -> effects, if we're nitpicking. :) You could take that last sentence and have it apply to any policy paper at all, which is a true demonstration of this chapter's level of quality.

This is the main issue with the book: Nobody wants to state things in undiplomatic language so they often say a whole lot of nothing instead. The undiplomatic statement this chapter should have said is: Controlling information in the Internet age is damn near impossible. Bugs exist in software, and we need to get over it and move on with our lives. If we want other countries not to kill journalists by hacking them and then shooting them we need to be brave and tell them to stop shooting journalists or we will do more than send them a sternly worded letter.